Yes, you are right that embedding this library presents a security risk, in
particular when the package plus its embedded library gets older and new
security issues are found in mbedtls.
The segmentation fault now caused by mbedtls was the reason this code was
embedded, it didn't have a segmentation fault then.
Upstream is looking into this how to solve this.